The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our threat intelligence specialists.
- Supply chain risk: Washington State Auditor’s Office exposed by vendor’s legacy product.
- SolarWinds: FBI investigates involvement of Chinese threat actor and more vulnerabilities patched.
- E-skimming: Costway targeted by piggyback attacker.
- Espionage: ISPs and telecoms compromised by Hezbollah-affiliated group.
- Groundhog Day, patch style: Patching known vulnerabilities could defend against zero-days.
- Ransomware reinfection: Victim hit twice in two weeks, after failing to identify root cause.
- Phishing gets real(time): New phishing kit adapts to victim in real time.
Accellion’s legacy product exposes the Office of the Washington State Auditor
- Attackers exploited vulnerabilities in Accellion’s legacy file transfer product, accessing claims data belonging to over 1.4 million Washington state residents. The stolen data include names, social security numbers and bank account details, sparking fears of identity theft and fraud.
- The product was first exploited in December 2020. The State Auditor says Accellion failed to notify them. A class-action lawsuit against Accellion has been filed.
So what? Increase scrutiny of digital supply chain vendors by conducting regular audits, particularly on applications used for critical data functions. Upgrade away from legacy software products, if feasible.
SolarWinds: Enter China and more vulnerabilities discovered
- Suspected Chinese hackers exploited another SolarWinds vulnerability to compromise a US government agency. An FBI investigation shows the US National Finance Centre, a government payroll system, fell victim to the hackers. Fears remain that further government systems were compromised.
- SolarWinds has patched three new critical vulnerabilities in its software, including two in its Orion platform. Proof-of-concept exploit code is due to be released next week.
So what? Ensure that all SolarWinds patches are applied without delay before attackers can exploit the newly discovered vulnerabilities.
E-Skimming victim Costway reinfected by piggyback attacker
- The actor known as Magecart Group 12 targeted roughly 2,000 previously infected companies to steal credit card details. A known exploit in the deprecated Magento 1 e-commerce platform led to Costway being infected with malicious e-skimming scripts. Magecart Group 12 leveraged the scripts left by other hackers to steal credit card data from Costway.
So what for security teams? Any companies still using Magento 1 software should immediately migrate to the more secure Magento 2.X software.
Hezbollah-affiliated hacking group compromised ISPs
- At least 250 web servers owned by telecoms and Internet Service Providers (ISPs) were hacked. The group, known as Lebanese Cedar, conducted a year-long hacking campaign targeting ISPs and telecoms in the US, the UK, Israel, and other countries.
- The attacks were designed to gain intelligence and steal databases containing sensitive information. The group exploited outdated Atlassian and Oracle servers to gain access.
So what? This operation exploited known vulnerabilities in outdated, public-facing infrastructure. Make sure any publicly exposed infrastructure is patched and scanned regularly for vulnerabilities.
Patching could defend against zero-days in the wild
- A quarter of zero-day vulnerabilities discovered in 2020 could have been avoided by patching. Google found that 1 out of 4 zero-days were closely related to previously disclosed vulnerabilities.
- Threat actors used variations of known exploits to develop new zero-days. In some cases, threat actors altered only one or two lines of code to create a new zero-day exploit.
So what? Patch. Not only could it protect your system from known exploits, it may just prevent a threat actor from deploying a new zero-day.
Ransomware reinfection: Same group compromises company twice in two weeks
- A ransomware victim paid criminals a seven-figure ransom, only to be reinfected two weeks later by the same gang. The UK government warned that criminals can look to re-deploy ransomware using the same mechanisms against the same victim.
- Lesson: Ransomware is a symptom of an embedded threat actor. Failing to identify how the actor compromised the network, established persistence, and stole files led to the unnamed victim paying a ransom twice.
So what? While retrieving data is often a priority, remember to conduct a thorough investigation to learn how an actor compromised your system and close any security gaps identified.
Phishing gets real(time)
- A new phishing kit changes in real time, adapting to the victim. Dubbed LogoKit, the phishing tool was found installed on over 700 sites in the last month.
- LogoKit’s script dynamically alters content. The victim is presented with their email address and company logo, to trick them into disclosing corporate credentials.
So what? Phishing tools are getting simpler to deploy and more sophisticated at tricking a victim. Train your employees to spot phishing attempts, no matter how personalised.